@maci-protocol/circuits 0.0.0-ci.f9da2fc → 0.0.0-ci.fb960ed

package/circom/circuits.json

@@ -1,12 +1,12 @@
 {
   "PollJoining_10_test": {
-    "file": "./voter/poll",
+    "file": "./voter/PollJoining",
     "template": "PollJoining",
     "params": [10],
-    "pubs": ["nullifier", "stateRoot", "pollPubKey", "pollId"]
+    "pubs": ["nullifier", "stateRoot", "pollPublicKey", "pollId"]
   },
   "PollJoined_10_test": {
-    "file": "./voter/poll",
+    "file": "./voter/PollJoined",
     "template": "PollJoined",
     "params": [10],
     "pubs": ["stateRoot"]

package/circom/coordinator/non-qv/processMessages.circom

@@ -5,11 +5,16 @@ include "./mux1.circom";
 // zk-kit imports
 include "./safe-comparators.circom";
 // local imports
-include "../../utils/hashers.circom";
-include "../../utils/messageToCommand.circom";
-include "../../utils/privToPubKey.circom";
+include "../../utils/PoseidonHasher.circom";
+include "../../utils/MessageHasher.circom";
+include "../../utils/MessageToCommand.circom";
+include "../../utils/PrivateToPublicKey.circom";
 include "../../utils/non-qv/stateLeafAndBallotTransformer.circom";
-include "../../utils/trees/incrementalMerkleTree.circom";
+include "../../utils/trees/MerkleTreeInclusionProof.circom";
+include "../../utils/trees/LeafExists.circom";
+include "../../utils/trees/CheckRoot.circom";
+include "../../utils/trees/MerkleGeneratePathIndices.circom";
+include "../../utils/trees/BinaryMerkleRoot.circom";
 include "../../utils/trees/incrementalQuinaryTree.circom";
 
 /**
@@ -50,11 +55,11 @@ include "../../utils/trees/incrementalQuinaryTree.circom";
     // Value of chainHash at end of batch
     signal input outputBatchHash;
     // The messages.
-    signal input msgs[batchSize][MSG_LENGTH];
+    signal input messages[batchSize][MSG_LENGTH];
     // The coordinator's private key.
-    signal input coordPrivKey;
+    signal input coordinatorPrivateKey;
     // The ECDH public key per message.
-    signal input encPubKeys[batchSize][2];
+    signal input encryptionPublicKeys[batchSize][2];
     // The current state root (before the processing).
     signal input currentStateRoot;
     // The actual tree depth (might be <= stateTreeDepth).
@@ -135,7 +140,7 @@ include "../../utils/trees/incrementalQuinaryTree.circom";
     chainHash[0] = inputBatchHash;
     for (var i = 0; i < batchSize; i++) {
         // calculate message hash
-        computedMessageHashers[i] = MessageHasher()(msgs[i], encPubKeys[i]);
+        computedMessageHashers[i] = MessageHasher()(messages[i], encryptionPublicKeys[i]);
         // check if message is valid or not (if index of message is less than index of last valid message in batch)
         var batchStartIndexValid = SafeLessThan(32)([index + i, batchEndIndex]);
         // calculate chain hash if message is valid
@@ -160,7 +165,7 @@ include "../../utils/trees/incrementalQuinaryTree.circom";
     // Ensure that the coordinator's public key from the contract is correct
     // based on the given private key - that is, the prover knows the
     // coordinator's private key.
-    var derivedPubKey[2] = PrivToPubKey()(coordPrivKey);
+    var derivedPubKey[2] = PrivateToPublicKey()(coordinatorPrivateKey);
     var derivedPubKeyHash = PoseidonHasher(2)(derivedPubKey);
     derivedPubKeyHash === coordinatorPublicKeyHash;
 
@@ -191,7 +196,7 @@ include "../../utils/trees/incrementalQuinaryTree.circom";
             computedCommandsSigR8[i],
             computedCommandsSigS[i],
             computedCommandsPackedCommandOut[i]
-        ) = MessageToCommand()(msgs[i], coordPrivKey, encPubKeys[i]);
+        ) = MessageToCommand()(messages[i], coordinatorPrivateKey, encryptionPublicKeys[i]);
     }
 
     // Process messages in reverse order.
@@ -441,3 +446,4 @@ template ProcessOneNonQv(stateTreeDepth, voteOptionTreeDepth) {
 
     newBallotRoot <== computedNewBallotQip;
 }
+

package/circom/coordinator/non-qv/tallyVotes.circom

@@ -5,10 +5,12 @@ include "./comparators.circom";
 // zk-kit import
 include "./unpack-element.circom";
 // local imports
-include "../../utils/trees/incrementalMerkleTree.circom";
+include "../../utils/trees/CheckRoot.circom";
+include "../../utils/trees/MerkleGeneratePathIndices.circom";
+include "../../utils/trees/LeafExists.circom";
 include "../../utils/trees/incrementalQuinaryTree.circom";
-include "../../utils/calculateTotal.circom";
-include "../../utils/hashers.circom";
+include "../../utils/CalculateTotal.circom";
+include "../../utils/PoseidonHasher.circom";
 
 /**
  * Processes batches of votes and verifies their validity in a Merkle tree structure.
@@ -230,3 +232,4 @@ template TallyVotesNonQv(
     
     computedNewTallyCommitment === newTallyCommitment;
 }
+

package/circom/coordinator/qv/processMessages.circom

@@ -5,12 +5,17 @@ include "./mux1.circom";
 // zk-kit imports
 include "./safe-comparators.circom";
 // local imports
-include "../../utils/hashers.circom";
-include "../../utils/messageToCommand.circom";
-include "../../utils/privToPubKey.circom";
+include "../../utils/PoseidonHasher.circom";
+include "../../utils/MessageHasher.circom";
+include "../../utils/MessageToCommand.circom";
+include "../../utils/PrivateToPublicKey.circom";
 include "../../utils/qv/stateLeafAndBallotTransformer.circom";
 include "../../utils/trees/incrementalQuinaryTree.circom";
-include "../../utils/trees/incrementalMerkleTree.circom";
+include "../../utils/trees/MerkleTreeInclusionProof.circom";
+include "../../utils/trees/LeafExists.circom";
+include "../../utils/trees/CheckRoot.circom";
+include "../../utils/trees/MerkleGeneratePathIndices.circom";
+include "../../utils/trees/BinaryMerkleRoot.circom";
 
 /**
  * Proves the correctness of processing a batch of MACI messages.
@@ -50,11 +55,11 @@ template ProcessMessages(
     // Value of chainHash at end of batch
     signal input outputBatchHash;
     // The messages.
-    signal input msgs[batchSize][MSG_LENGTH];
+    signal input messages[batchSize][MSG_LENGTH];
     // The coordinator's private key.
-    signal input coordPrivKey;
+    signal input coordinatorPrivateKey;
     // The ECDH public key per message.
-    signal input encPubKeys[batchSize][2];
+    signal input encryptionPublicKeys[batchSize][2];
     // The current state root (before the processing).
     signal input currentStateRoot;
     // The actual tree depth (might be <= stateTreeDepth).
@@ -130,7 +135,7 @@ template ProcessMessages(
 
     for (var i = 0; i < batchSize; i++) {
         // calculate message hash
-        computedMessageHashers[i] = MessageHasher()(msgs[i], encPubKeys[i]);
+        computedMessageHashers[i] = MessageHasher()(messages[i], encryptionPublicKeys[i]);
         // check if message is valid or not (if index of message is less than index of last valid message in batch)
         var batchStartIndexValid = SafeLessThan(32)([index + i, batchEndIndex]);
         // calculate chain hash if message is valid
@@ -154,7 +159,7 @@ template ProcessMessages(
     // Ensure that the coordinator's public key from the contract is correct
     // based on the given private key - that is, the prover knows the
     // coordinator's private key.
-    var derivedPubKey[2] = PrivToPubKey()(coordPrivKey);
+    var derivedPubKey[2] = PrivateToPublicKey()(coordinatorPrivateKey);
     var derivedPubKeyHash = PoseidonHasher(2)(derivedPubKey);
     derivedPubKeyHash === coordinatorPublicKeyHash;
 
@@ -185,7 +190,7 @@ template ProcessMessages(
             computedCommandsSigR8[i],
             computedCommandsSigS[i],
             computedCommandsPackedCommandOut[i]
-        ) = MessageToCommand()(msgs[i], coordPrivKey, encPubKeys[i]);
+        ) = MessageToCommand()(messages[i], coordinatorPrivateKey, encryptionPublicKeys[i]);
     }
 
     // Process messages in reverse order.
@@ -443,3 +448,4 @@ template ProcessOne(stateTreeDepth, voteOptionTreeDepth) {
 
     newBallotRoot <== computedNewBallotQip;
 }
+

package/circom/coordinator/qv/tallyVotes.circom

@@ -5,10 +5,12 @@ include "./comparators.circom";
 // zk-kit import
 include "./unpack-element.circom";
 // local imports
-include "../../utils/trees/incrementalMerkleTree.circom";
+include "../../utils/trees/CheckRoot.circom";
+include "../../utils/trees/MerkleGeneratePathIndices.circom";
+include "../../utils/trees/LeafExists.circom";
 include "../../utils/trees/incrementalQuinaryTree.circom";
-include "../../utils/calculateTotal.circom";
-include "../../utils/hashers.circom";
+include "../../utils/CalculateTotal.circom";
+include "../../utils/PoseidonHasher.circom";
 
 /**
  * Processes batches of votes and verifies their validity in a Merkle tree structure.

package/circom/utils/{calculateTotal.circom → CalculateTotal.circom}

@@ -8,7 +8,9 @@ pragma circom 2.0.0;
  * final output reflects the cumulative total of the inputs provided.
  */
 template CalculateTotal(n) {
+    // Array of values.
     signal input nums[n];
+    // Total sum.
     signal output sum;
 
     signal sums[n];

package/circom/utils/{verifySignature.circom → EdDSAPoseidonVerifier.circom}

@@ -8,60 +8,69 @@ include "./bitify.circom";
 include "./escalarmulany.circom";
 include "./escalarmulfix.circom";
 // local imports
-include "./hashers.circom";
+include "./PoseidonHasher.circom";
 
 /**
  * Variant of the EdDSAPoseidonVerifier template from circomlib
  * https://github.com/iden3/circomlib/blob/master/circuits/eddsa.circom
  */
-template EdDSAPoseidonVerifier_patched() {
+template EdDSAPoseidonVerifier() {
+    // The prime subgroup order.
+    var SUBGROUP_ORDER = 2736030358979909402780800718157159386076813972158567259200215660948447373041;
+
+    // The base point of the BabyJubJub curve.
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+
     // The x and y coordinates of the public key.
-    signal input Ax;
-    signal input Ay;
+    signal input publicKeyX;
+    signal input publicKeyY;
     // Signature scalar.
-    signal input S;
+    signal input signatureScalar;
     // The x and y coordinates of the signature point.
-    signal input R8x;
-    signal input R8y;
+    signal input signaturePointX;
+    signal input signaturePointY;
     // Message hash.
-    signal input M;
+    signal input messageHash;
+    // Output signal for the validity of the signature.
+    signal output isValid;
 
-    signal output valid;
-
-    // Ensure S<Subgroup Order.
-    // convert the signature scalar S into its binary representation.
-    var computedNum2Bits[254] = Num2Bits(254)(S);
+    // Ensure signatureScalar<Subgroup Order.
+    // convert the signature scalar signatureScalar into its binary representation.
+    var computedNum2Bits[254] = Num2Bits(254)(signatureScalar);
 
     var computedCompConstantIn[254] = computedNum2Bits;
     computedCompConstantIn[253] = 0;
 
-    // A component that ensures S is within a valid range, 
+    // A component that ensures signatureScalar is within a valid range, 
     // comparing it against a constant representing the subgroup order.
-    var computedCompConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040)(computedCompConstantIn);
+    var computedCompConstant = CompConstant(SUBGROUP_ORDER - 1)(computedCompConstantIn);
 
-    // Calculate the h = H(R,A, msg).
-    var computedH2Bits[254] = Num2Bits_strict()(PoseidonHasher(5)([R8x, R8y, Ax, Ay, M]));
+    // Calculate the h = H(R, A, msg).
+    var computedH2Bits[254] = Num2Bits_strict()(PoseidonHasher(5)([
+      signaturePointX,
+      signaturePointY,
+      publicKeyX,
+      publicKeyY,
+      messageHash
+    ]));
 
     // These components perform point doubling operations on the public key
     // to align it within the correct subgroup as part of the verification process.
-    var (computedDbl1XOut, computedDbl1YOut) = BabyDbl()(Ax, Ay);
-    var (computedDbl2XOut, computedDbl2YOut) = BabyDbl()(computedDbl1XOut, computedDbl1YOut);
-    var (computedDbl3XOut, computedDbl3YOut) = BabyDbl()(computedDbl2XOut, computedDbl2YOut);
+    var (computedDouble1XOut, computedDouble1YOut) = BabyDbl()(publicKeyX, publicKeyY);
+    var (computedDouble2XOut, computedDouble2YOut) = BabyDbl()(computedDouble1XOut, computedDouble1YOut);
+    var (computedDouble3XOut, computedDouble3YOut) = BabyDbl()(computedDouble2XOut, computedDouble2YOut);
 
     // A component that performs scalar multiplication of the 
     // adjusted public key by the hash output, essential for the verification calculation.
-    var computedEscalarMulAny[2] = EscalarMulAny(254)(computedH2Bits, [computedDbl3XOut, computedDbl3YOut]);
+    var computedEscalarMulAny[2] = EscalarMulAny(254)(computedH2Bits, [computedDouble3XOut, computedDouble3YOut]);
 
     // Compute the right side: right =  R8 + right2.
-    var (computedAddRightXOut, computedAddRightYOut) = BabyAdd()(R8x, R8y, computedEscalarMulAny[0], computedEscalarMulAny[1]);
-
-    // Calculate the left side: left = S * B8.
-    var BASE8[2] = [
-        5299619240641551281634865583518297030282874472190772894086521144482721001553,
-        16950150798460657717958625567821834550301663161624707787222815936182638968203
-    ];
+    var (computedAddRightXOut, computedAddRightYOut) = BabyAdd()(signaturePointX, signaturePointY, computedEscalarMulAny[0], computedEscalarMulAny[1]);
     
-    // Fixed-base scalar multiplication of a base point by S.
+    // Fixed-base scalar multiplication of a base point by signatureScalar.
     var computedEscalarMulFix[2] = EscalarMulFix(254, BASE8)(computedNum2Bits);
 
     // Components to check the equality of x and y coordinates 
@@ -73,45 +82,10 @@ template EdDSAPoseidonVerifier_patched() {
     // Components to handle edge cases and ensure that all conditions 
     // for a valid signature are met, including the 
     // public key not being zero and other integrity checks.
-    var computedIsAxZero = IsZero()(Ax);
+    var computedIsAxZero = IsZero()(publicKeyX);
     var computedIsAxEqual = IsEqual()([computedIsAxZero, 0]);
     var computedIsCcZero = IsZero()(computedCompConstant);
     var computedIsValid = IsEqual()([computedIsLeftRightValid + computedIsAxEqual + computedIsCcZero, 3]);
 
-    valid <== computedIsValid;
-}
-
-/**
- * Verifies the EdDSA signature for a given command, which has exactly four elements in the hash preimage.
- */
-template VerifySignature() {
-    // Public key of the signer, consisting of two coordinates [x, y].
-    signal input pubKey[2];
-    // R8 point from the signature, consisting of two coordinates [x, y]. 
-    signal input R8[2];
-    // Scalar component of the signature.
-    signal input S;
-
-    // Number of elements in the hash preimage.
-    var k = 4;
-    
-    // The preimage data that was hashed, an array of four elements.
-    signal input preimage[k];
-
-    signal output valid;
-
-    // Hash the preimage using the Poseidon hashing function configured for four inputs.
-    var computedM = PoseidonHasher(4)(preimage);
-
-    // Instantiate the patched EdDSA Poseidon verifier with the necessary inputs.
-    var computedVerifier = EdDSAPoseidonVerifier_patched()(
-        pubKey[0],
-        pubKey[1],
-        S,
-        R8[0],
-        R8[1],
-        computedM
-    );
-
-    valid <== computedVerifier;
+    isValid <== computedIsValid;
 }

package/circom/utils/MessageHasher.circom

@@ -0,0 +1,57 @@
+pragma circom 2.0.0;
+
+include "./PoseidonHasher.circom";
+
+/**
+ * Hashes a MACI message and the public key used for message encryption. 
+ * This template processes 10 message inputs and a 2-element public key
+ * combining them using the Poseidon hash function. The hashing process involves two stages: 
+ * 1. hashing message parts data groups of five and,
+ * 2. hashing the grouped results alongside the first message input and 
+ * the encryption public key to produce a final hash output. 
+ */
+template MessageHasher() {
+    // Message parts
+    var MESSAGE_PARTS = 10;
+    var STATE_INDEX = 0;
+    var VOTE_OPTION_INDEX = 1;
+    var NEW_VOTE_WEIGHT = 2;
+    var NONCE = 3;
+    var POLL_ID = 4;
+    var SIGNATURE_POINT_X = 5;
+    var SIGNATURE_POINT_Y = 6;
+    var SIGNATURE_SCALAR = 7;
+    var ENCRYPTED_PUBLIC_KEY_X = 8;
+    var ENCRYPTED_PUBLIC_KEY_Y = 9;
+
+    // The MACI message is composed of 10 parts.
+    signal input data[MESSAGE_PARTS];
+    // the public key used to encrypt the message.
+    signal input encryptionPublicKey[2];
+
+    // we output an hash.
+    signal output hash;
+
+    var computedHasherPart1 = PoseidonHasher(5)([
+        data[STATE_INDEX],
+        data[VOTE_OPTION_INDEX],
+        data[NEW_VOTE_WEIGHT],
+        data[NONCE],
+        data[POLL_ID]
+    ]);
+
+    var computedHasherPart2 = PoseidonHasher(5)([
+        data[SIGNATURE_POINT_X],        
+        data[SIGNATURE_POINT_Y],
+        data[SIGNATURE_SCALAR],
+        data[ENCRYPTED_PUBLIC_KEY_X],
+        data[ENCRYPTED_PUBLIC_KEY_Y]
+    ]);
+
+    hash <== PoseidonHasher(4)([
+        computedHasherPart1,
+        computedHasherPart2,
+        encryptionPublicKey[0],
+        encryptionPublicKey[1]        
+    ]);
+}

package/circom/utils/MessageToCommand.circom

@@ -0,0 +1,107 @@
+pragma circom 2.0.0;
+
+// circomlib import
+include "./bitify.circom";
+// zk-kit imports
+include "./ecdh.circom";
+include "./unpack-element.circom";
+include "./poseidon-cipher.circom";
+
+/**
+ * Converts a MACI message to a command by decrypting it.
+ * Processes encrypted MACI messages into structured MACI commands 
+ * by decrypting using a shared key derived from ECDH. After decryption, 
+ * unpacks and assigns decrypted values to specific command components. 
+ */
+template MessageToCommand() {
+    var MESSAGE_LENGTH = 7;
+    var PACKED_COMMAND_LENGTH = 4;
+    var UNPACK_ELEMENT_LENGTH = 5;
+    var DECRYPTED_LENGTH = 9;
+    var MESSAGE_PARTS = 10;
+    
+    // Element indices.
+    var ELEMENT_POLL_ID = 0;
+    var ELEMENT_NONCE = 1;
+    var ELEMENT_NEW_VOTE_WEIGHT = 2;
+    var ELEMENT_VOTE_OPTION_INDEX = 3;
+    var ELEMENT_STATE_INDEX = 4;
+
+    // Command indices.
+    var COMMAND_STATE_INDEX = 0;
+    var COMMAND_PUBLIC_KEY_X = 1;
+    var COMMAND_PUBLIC_KEY_Y = 2;
+    var COMMAND_SALT = 3;
+
+    // Decryptor indices.
+    var SIGNATURE_POINT_X = 4;
+    var SIGNATURE_POINT_Y = 5;
+    var SIGNATURE_SCALAR = 6;
+
+    // The message is an array of 10 parts.
+    signal input message[MESSAGE_PARTS];
+    // The encryption private key
+    signal input encryptionPrivateKey;
+    // The encryption public key
+    signal input encryptionPublicKey[2];
+
+    // Command parts.
+    signal output stateIndex;
+    // The new public key.
+    signal output newPublicKey[2];
+    // The vote option index.
+    signal output voteOptionIndex;
+    // The new vote weight.
+    signal output newVoteWeight;
+    // The nonce.
+    signal output nonce;
+    // The poll id.
+    signal output pollId;
+    // The salt.
+    signal output salt;
+    // The signature point.
+    signal output signaturePoint[2];
+    // The signature scalar.
+    signal output signatureScalar;
+
+    // Packed command. 
+    signal output packedCommandOut[PACKED_COMMAND_LENGTH];
+
+    // Generate the shared key for decrypting the message.
+    var computedEcdh[2] = Ecdh()(encryptionPrivateKey, encryptionPublicKey);
+
+    // Decrypt the message using Poseidon decryption.
+    var computedDecryptor[DECRYPTED_LENGTH] = PoseidonDecryptWithoutCheck(MESSAGE_LENGTH)(
+        message,
+        0, 
+        computedEcdh
+    );
+
+    // Save the decrypted message into a packed command signal.
+    signal packedCommand[PACKED_COMMAND_LENGTH];
+
+    for (var i = 0; i < PACKED_COMMAND_LENGTH; i++) {
+        packedCommand[i] <== computedDecryptor[i];
+    }
+
+    var computedUnpackElement[UNPACK_ELEMENT_LENGTH] = UnpackElement(UNPACK_ELEMENT_LENGTH)(
+        packedCommand[COMMAND_STATE_INDEX]
+    );
+
+    // Everything below were packed into the first element.
+    pollId <== computedUnpackElement[ELEMENT_POLL_ID];
+    nonce <== computedUnpackElement[ELEMENT_NONCE];
+    newVoteWeight <== computedUnpackElement[ELEMENT_NEW_VOTE_WEIGHT];
+    voteOptionIndex <== computedUnpackElement[ELEMENT_VOTE_OPTION_INDEX];
+    stateIndex <== computedUnpackElement[ELEMENT_STATE_INDEX];
+
+    newPublicKey[0] <== packedCommand[COMMAND_PUBLIC_KEY_X];
+    newPublicKey[1] <== packedCommand[COMMAND_PUBLIC_KEY_Y];
+    salt <== packedCommand[COMMAND_SALT];
+
+    signaturePoint[0] <== computedDecryptor[SIGNATURE_POINT_X];
+    signaturePoint[1] <== computedDecryptor[SIGNATURE_POINT_Y];
+    signatureScalar <== computedDecryptor[SIGNATURE_SCALAR];
+
+    packedCommandOut <== packedCommand;
+}

package/circom/utils/PoseidonHasher.circom

@@ -0,0 +1,29 @@
+pragma circom 2.0.0;
+
+// zk-kit imports
+include "./poseidon-cipher.circom";
+
+/**
+ * Computes the Poseidon hash for an array of n inputs, including a default initial state 
+ * of zero not counted in n. First, extends the inputs by prepending a zero, creating an array [0, inputs]. 
+ * Then, the Poseidon hash of the extended inputs is calculated, with the first element of the 
+ * result assigned as the output. 
+ */
+template PoseidonHasher(n) {
+    signal input inputs[n];
+    signal output out;
+
+    // [0, inputs].
+    var computedExtendedInputs[n + 1];
+    computedExtendedInputs[0] = 0;
+
+    for (var i = 0; i < n; i++) {
+        computedExtendedInputs[i + 1] = inputs[i];
+    }
+
+    // Compute the Poseidon hash of the extended inputs.
+    var computedPoseidonPerm[n + 1]; 
+    computedPoseidonPerm = PoseidonPerm(n + 1)(computedExtendedInputs);
+
+    out <== computedPoseidonPerm[0];
+}

package/circom/utils/{privToPubKey.circom → PrivateToPublicKey.circom}

@@ -9,28 +9,30 @@ include "./escalarmulfix.circom";
  * Converts a private key to a public key on the BabyJubJub curve.
  * The input private key needs to be hashed and then pruned before.
  */
-template PrivToPubKey() {
+template PrivateToPublicKey() {
     // The base point of the BabyJubJub curve.
     var BASE8[2] = [
         5299619240641551281634865583518297030282874472190772894086521144482721001553,
         16950150798460657717958625567821834550301663161624707787222815936182638968203
     ];
 
-    // Prime subgroup order 'l'.
-    var l = 2736030358979909402780800718157159386076813972158567259200215660948447373041;
+    // The prime subgroup order.
+    var SUBGROUP_ORDER = 2736030358979909402780800718157159386076813972158567259200215660948447373041;
 
-    signal input privKey;
-    signal output pubKey[2];
+    // The private key
+    signal input privateKey;
+    // The public key
+    signal output publicKey[2];
 
-    // Check if private key is in the prime subgroup order 'l'
-    var isLessThan = LessThan(251)([privKey, l]);
+    // Check if private key is in the prime subgroup order
+    var isLessThan = LessThan(251)([privateKey, SUBGROUP_ORDER]);
     isLessThan === 1;
 
     // Convert the private key to bits.
-    var computedPrivBits[253] = Num2Bits(253)(privKey);
+    var computedPrivBits[253] = Num2Bits(253)(privateKey);
 
     // Perform scalar multiplication with the basepoint.
     var computedEscalarMulFix[2] = EscalarMulFix(253, BASE8)(computedPrivBits);
 
-    pubKey <== computedEscalarMulFix;
+    publicKey <== computedEscalarMulFix;
 }

package/circom/utils/VerifySignature.circom

@@ -0,0 +1,39 @@
+pragma circom 2.0.0;
+
+// local imports
+include "./EdDSAPoseidonVerifier.circom";
+include "./PoseidonHasher.circom";
+
+/**
+ * Verifies the EdDSA signature for a given command, which has exactly four elements in the hash preimage.
+ */
+template VerifySignature() {
+    // Number of elements in the hash preimage.
+    var PRE_IMAGE_LENGTH = 4;
+
+    // Public key of the signer, consisting of two coordinates [x, y].
+    signal input publicKey[2];
+    // signaturePoint point from the signature, consisting of two coordinates [x, y]. 
+    signal input signaturePoint[2];
+    // Scalar component of the signature.
+    signal input signatureScalar;
+    // The preimage data that was hashed, an array of four elements.
+    signal input preimage[PRE_IMAGE_LENGTH];
+    // The validity of the signature.
+    signal output isValid;
+
+    // Hash the preimage using the Poseidon hashing function configured for four inputs.
+    var computedPreimage = PoseidonHasher(4)(preimage);
+
+    // Instantiate the patched EdDSA Poseidon verifier with the necessary inputs.
+    var computedIsValid = EdDSAPoseidonVerifier()(
+        publicKey[0],
+        publicKey[1],
+        signatureScalar,
+        signaturePoint[0],
+        signaturePoint[1],
+        computedPreimage
+    );
+
+    isValid <== computedIsValid;
+}

package/circom/utils/non-qv/messageValidator.circom

@@ -3,7 +3,7 @@ pragma circom 2.0.0;
 // zk-kit imports
 include "./safe-comparators.circom";
 // local imports
-include "../verifySignature.circom";
+include "../VerifySignature.circom";
 
 /**
  * Checks if a MACI message is valid or not.
@@ -28,7 +28,7 @@ template MessageValidatorNonQv() {
     // Packed command.
     signal input cmd[PACKED_CMD_LENGTH];
     // Public key of the state leaf (user).
-    signal input pubKey[2];
+    signal input publicKey[2];
     // ECDSA signature of the command (R part).
     signal input sigR8[2];
     // ECDSA signature of the command (S part).
@@ -60,7 +60,7 @@ template MessageValidatorNonQv() {
     var computedIsNonceValid = IsEqual()([originalNonce + 1, nonce]);
 
     // Check (4) - The signature must be correct.    
-    var computedIsSignatureValid = VerifySignature()(pubKey, sigR8, sigS, cmd);
+    var computedIsSignatureValid = VerifySignature()(publicKey, sigR8, sigS, cmd);
  
     // Check (5) - There must be sufficient voice credits.
     // The check ensure that currentVoiceCreditBalance + (currentVotesForOption) >= (voteWeight).

package/circom/utils/non-qv/stateLeafAndBallotTransformer.circom

@@ -85,8 +85,8 @@ template StateLeafAndBallotTransformerNonQv() {
     );
 
     // If the message is valid then we swap out the public key.
-    // This means using a Mux1() for pubKey[0] and another one
-    // for pubKey[1].
+    // This means using a Mux1() for publicKey[0] and another one
+    // for publicKey[1].
     var computedNewSlPubKey0Mux = Mux1()([slPubKey[0], cmdNewPubKey[0]], computedMessageValidator);
     var computedNewSlPubKey1Mux = Mux1()([slPubKey[1], cmdNewPubKey[1]], computedMessageValidator);